A bot that targets sports websites is costing advertisers $250 million a year

Ad fraud detector Forensiq says the NFL, ESPN and all major sports sites are affected.

Malicious code could be responsible for a huge portion of the traffic generated by American sports websites, according to a new analysis by ad fraud detection company Forensiq. Advertisers are wasting as much as $250 million every year on ads that are being shown to bots, not legitimate viewers of some of the most popular sports platforms in the country.

As much as 75 percent of pre-bid requests for the official sites of all 32 NFL teams were flagged as invalid by Forensiq’s latest fraud detection algorithm. Fraudulent requests were also found at high rates on the official pages for the NFL, NBA, NHL and MLB, as well as sports journalism sites like ESPN, Sports Illustrated, Bleacher Report, Deadspin and sports portals for CBS, NBC and FOX.

It’s all happening without the knowledge of advertisers or the sites the ads are running on. "We have no evidence to show that agencies or publishers are involved," said Amit Joshi, director of product and data science at Forensiq. "In fact, it is very likely they are unaware that the traffic is non-human. In terms of ultimate actors, we're still looking into this. It's a complex operation and it's going to require more research."

The invalid traffic seems to be generated by malware unintentionally downloaded onto users’ personal devices. The bots open browser windows the user can’t see and load ads in the background. "Most advertisers understand the concept of a bot stealing ad revenue on the web, but do not grasp that fraud is most often committed through device hijacking in-app," Joshi added.

Bot creators monetize the additional traffic, so affected sites don’t gain any revenue from the increased activity. The sites may also suffer from depressed CPM, or from ads that appear to be ineffective because no one is actually viewing them.

These bots appear to be particularly sophisticated. Previous bots have hosted code on server farms, making the static IP addresses relatively easy to blacklist once they’re discovered. But the new bots hijack the devices of otherwise legitimate viewers, who are often viewing sites from different locations. It’s difficult to compile a database of infected devices because new devices are always being infected, others are being cleaned of malware, and advertisers don’t want to block these users altogether.

"The nature of fraud and fraud prevention is always that of a cat-and-mouse game, or whack-a-mole," Joshi said. "They will keep getting better, but we'll keep getting better, too. In the end, fraudulent behavior is always going to be fundamentally different from legitimate behavior, so there will always be clues for us to track."

The study is the result of three months of traffic analysis using the second generation of Forensiq’s algorithm. It tracked 9.7 billion requests across 46 websites.

To protect themselves, advertisers should vet media partners carefully, Joshi added. "It is important to monitor traffic quality throughout the life of a campaign, not just do an end of campaign lookback. At that point it is often already too late, and the ad dollars have already been lost."